
Java HTTP proxy vulnerability

by Nikola Strahija on March 5th, 2002

The Java security model is designed to allow code from an untrusted source, usually web applets, to be safely executed.


Reference wal-01
Version 1.0
Date March 05, 2002

===Cross references

Sun Security Bulletin #00216
Microsoft Security Bulletin MS02-013

Vulnerability identifier CAN-2002-0058 (under review)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0058

===Classifications

Java, networking, HTTP
Web browsers, applets
Unchecked network access, HTTP proxy connection hijacking

===Abstract problem description

=Background
The Java security model is designed to allow code from an untrusted
source, usually web applets, to be safely executed.

=Problem
An applet could issue irregular HTTP requests that are not subjected to the usual security checks.

=Consequence
The network access restrictions that would normally apply can be bypassed.
Only systems that have an HTTP proxy configured can be vulnerable.

One particularly nasty exploit is one in which a remote server, aided by a
hostile applet, hijacks the browser's persistent HTTP connection to its
configured HTTP proxy.

===Affected software & patch availability; vendor bulletins

=Sun

Bulletin Number: #00216
Date: March 4, 2002
Title: HttpURLConnection
http://sunsolve.Sun.COM/pub-cgi/secBulletin.pl
(At the time of this writing bulletin 216 was not available on
the website yet.)

=Microsoft

Microsoft Security Bulletin MS02-013
Java Applet Can Redirect Browser Traffic
Originally posted: March 04, 2002
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-013.asp

=Netscape
Sun JVM (Java Virtual Machine) Issue
http://home.netscape.com/security/


===Vendor contact
Shortly after I, more or less by coincidence, discovered the issue, I
reported it to Sun on April 07, 2001. They communicated it to their
Java licensees, and coordinated a synchronized response.

=Free Java implementations
I audited both Kaffe and GNU Classpath class libraries, and to the
best of my knowledge, they are not vulnerable to this issue. Anyone
out there developing a free(TM) Java, please contact me if you have
questions or concerns, and I will be happy to assist you in any way I
can.

===Disclosure policy
I do not plan to release details of the vulnerability, which could make
it easier for crackers to get exploits, before a three month grace
period has expired. Customers should not assume that the lack of
vulnerability details at this time will prevent the creation of
exploit programs.

===Detailed problem description
No details are provided at this time.
See Disclosure policy.

===PoC-exploit
I supplied Sun with a PoC-exploit, and they passed it on to other
vendors. No further distribution is expected.

===Software I tested/audited myself.
Sun/Blackdown 1.1.7/8, 1.2.2, 1.3.0/1 linux/win32
Netscape 4.61 default Java Runtime linux
MSIE 5.0 default Java Runtime win32
HotJava Browser 3.0
Kaffe 1.06
GNU Classpath 0.03

===Acknowledgment
Thanks to the vendors for addressing the issue. Special thanks to
Sun, in particular Chok Poh, for coordinating.

===Disclaimer & Copying
This comes with ABSOLUTELY NO WARRANTY!
Copying in whole and quoting parts permitted.

===History
Version 1.0 is the first release of this document.
Updates http://www.xs4all.nl/~harmwal/issue/wal-01.txt

===Contact
Author Harmen van der Wal
Mail [email protected]
PGP http://www.xs4all.nl/~harmwal/harmen.pgp.txt

===End===


--
Harmen van der Wal - http://www.xs4all.nl/~harmwal/